Q&A – Secure Bootloader Webinar Nov 29, 2017

I’ve had several requests to post the Q&A from my webinars so that attendees can review them offline. After giving it some consideration, I think making these Q&A sessions available on my blog is a great way for engineers who weren’t able to attend still learn something.

Below are the compiled questions and answers from Secure Bootloader Design Techniques that was originally held on Nov 29, 2017. If you missed the webinar, you can still view it here.

Questions

Answers

Are there many product lines that provide *assymmetric* cryptography functions in hardware, or is this usually just done in software where needed?

Yes. With IoT devices, more and more MCU’s targeted for that market are including these capabilities.

did you use a SDA optimization in your bootloader ?

do the optimizations were just set to default. The code size could probably be squeezed a fair amount.

The Atollic IDE you are using is the Free version or the Pro version?

The pro version is being used but all the examples will run in the free version

is there any way we can get the ppt after the webinar ends?

a pdf can be provided.

Isn’t there a big disadvantage of using a private key scheme since the part can just be decapped and the private key read from flash using a microscope?

Yes. There is also an issue where if you don’t have the right tools and forget your key or lose it, the device is now bricked.

For the scenario of sharing firmware with a manufacturing partner: do you know of any production programmers with ‘secure remote’ access that we could use to load firmware into without passing it to our partner first?

Yes. SEGGER has a secure flash unit that can be used to protect and program a device.

For devices that don’t have dedicated secure key storage, do you think that typical flash readout protections are adequate to protect private keys?

It will depend on the application. I’ve seen quite a few devices that let you set a value and then once set you need to know the key before the MCU will let you access “extra” functions like reading and programming. These are probably a first layer okay. In many cases, security is about building up multiple defenses so that if one layer is breached, another can act as a block. The goal is to have enough road blocks in place that a would be hacker deems it too much work or not worth the ROI to attack and break the system.

which kind of scheduler you have in the bootloader ?

the bootloader uses the simple cooperative schedule on the insights page of beningo.com. If you are interesting in knowing more about it you can email [email protected]

Is there an external security chip for holding keys and doing encryption with an open interface where you don’t need an NDA?

There are devices called secure elements. I know that ST Microelectronics does make them. You can take a look on their website. I’m also going to be writing several blogs and papers on these topics over the next several months and will send them out with my newsletter.

And how do you protect the keys used on your device from being changed when the device is in the attacker’s hands?

You use a microcontroller that has secure storage, an area in flash that can be written once and never read from externally.

Wikipedia defines pub key crypt like this: https://en.wikipedia.org/wiki/File:Public_key_encryption.svg And it makes sense b/c the pub key is public, can be known by the public and therefore only used for encryption but not decryption. The priv key is private because it can decrypt data.

Thanks!

how you check the software integrity of the application before jumping to it ?

several different ways, first you can generate a hash and make sure it matches (was not modified), then you can verify that the reset vector has been programed and then verify that there isn’t a request to stay in the bootlaoder. If all these pass, then the bootloader jumps to the application.

Are these “secure elements” the same as “Trusted Plattform Modules”, they seem to be advertised different and cost less than TPMs

No there is a difference. The TPM has a MCU inside where to the secure element does not

symmetric cryptography raise a question how to securely imprint private key in actual device. Any comment about this?

This usually has to be done at the time of manufacturing. You could use a flash tool from SEGGER for example. They have a secure tool that can program keys.

Implementing encryption algorithms on your own is seldom a good idea. Slight flaws in implementation may lead to security leaks allowing hackers to break in easily. Can you suggest off-the-shelf libraries to be used for that?

I usually look to WolfSSL as one example for encryption libraries.

What is a S-Record ?

an application image format that is used to transfer an application.

The digital signatures would need some form of public key distribution system. How can this happen in large IoT/WSN distributions without introducing large latencies into the networks?

The public key can be distributed ahead of time or during the transaction.

Why initial vector not shared??

It’s used to provide a method for randomization to make the data stream more difficult to hack

if even the hash can be broken
so there is no way to say that we can have a secure boot code

if they have been broken. There are many that have not been.

so do you send two copy of digest in digital signature option

just one copy

Is the bootloader code always starts with an assembly language instruction (mandatory)?

Usually the start-up code for the bootloader is in assembly language and provided by the chip manufacturer. An example will be shown on how you can jump from the bootloader to the application code and it doesn’t have to use assembly code.

How we define where from to start executing instructions for controller, as soon as we power up the controller ?

yes. there is start-up code that is jumped to from the reset vector that initializes the cpu and then jumps to the bootloader main code to star the bootloader.

I think the firmware and signature is switched

Does it make a difference if you calculate hash and signature from AES crypted or uncrypted content from security POV (and reverse engineering effort needed to figure scheme out)?

it shouldn’t matter

What prevents to rewrite the bootloader only and then do any unsecure things?

The bootloader should be locked using the flash security bits on the microcontroller so that the bootloader cannot be erased and rewritten.

difference between public and private key?

private key you put in a vault and don’t share with anyone. Otherwise the system is compromised. Public keys are available freely to everyone.

What is “mode” in AES?

CBC

Cryptography relies on *good* random number generators. How can I know that the bit of hardware I can find in my system is *good*?

You need to dive into the datasheet to see how random the number generator is. I would look for devices that have TRNG which is a true random number generator.

Why not CTR??

it’s an option. Just not discussed in this lecture.

Where do you store encrypted image before process?

They could be stored on a host machine, server or even downloaded to a local memory source such as SD memory.

For assessing a TRNG I need to become an expert in cryptography and HW development. Any suggestions on how to reduce effort here? 3rd party companies who can do that? Publicly accessible information on assesments of the different implementations in different devices done by such experts?

You could use a security firm that specializes in this area. There are several around that have been started by former NSA employees.

Does CBC have patent issues??

You would need to consult your patent attorney on this.

Which Hashing Algorithm is more energy efficient?

This will depend on the hardware acceleration that is on the microcontroller. You should select a microcontroller that has a cryptographic hardware accelerator and select an algorithm that is supported by it for the most efficient execution.

Can we see the startup code which define the rules of startup/loading bootloader?

We already looked at this. You will need to review the recording when the webinar is complete.

So how do you do it, when doing a “secure” boot loader? Just rely on the HW capabilities and hope that the chip vendor did a good job without any further checking?

You can define the level of security you need, identify the risks, evaluate the hardware and then develop a solution that has multiple layers of security. Security isn’t a one stop thing you do but you layer solutions so that if one layer is breached the other layers help protect the solution.

How an one securely distribute keys for digital signing in a large IoT deployment where the broadcast nature of the netowrk is vulnerable to eavedropping and man in the middle attacks?

So for digital signing, you don’t care if everyone has the public key. The goal with signing is to verify that the firmware is from the manufacturer and not some other source. Only the manufacturer should have the private key which is used to encrypt the signature. Anyoen can decrypt it and verify the firmware.

Are the Hash, Symmetric Key, RSA codes availables??

They are usually available depending on the microcontroller vendor that you are using or availability through 3rd party components.

It seems to be Group-Theoretic Cryptography is the most energy efficient security system, not sure why it is not getting adopted in the industry.

I am not sure either.

AES encryption needs and Initial vector, this can be a random number. For decryption the initial vector has to be the same, so how can we know the initial vector in the encryption if this is a random number?

The recommendation is to use a new IV for every message. The IV is not needed for decryption but it helps to randomize the data so that replaying messages cannot be used as an attack vector.

back to the slide with the data encryption. There was an initial vector used for encryption. this initial vector is also required for decryption, right? if that is the case how is it securely transfered to the bootloader / or shall it be stored permanently on the device?

it is not required for decryption. The random number is used to randomize a data field so that a replay attack cannot be used to break the system